xml/XPathStep.h:
Merged node testing into axis enumeration. This saves a lot of Vector resizing and passing, and is necessary for future
optimizations (sometimes, we can just pick the single result node instead of enumerating and filtering the whole axis).

Breaking in the middle of the word
is allowed only if no breaking opportunity between words has occurred yet. The
first position on the line should not be considered "between words" even if
it is a breaking opportunity.

rendering/bidi.cpp:
(WebCore::RenderBlock::findNextLineBreak): Changed according to the above. Also
cleaned up a couple of lines.

Fix for bugzilla bug 13187, place a hard limit on the amount of decoded data that WebCore will keep
around even on live pages (pages being displayed in tabs/windows or in the back/forward cache).
Images will decode to paint and once the decoded data exceeds the cache size, the decoded data will be
tossed.

Refine the flushing algorithm to apply the two-pass decode/evict model to each LRU-SP queue individually, rather
than to all the lists at once. This allows the cache to evict large encoded resources before flushing small
or frequently accessed decoded onces.

Fix <rdar://problem/5076610> Crash in PluginViewWin::updateWindow when
loading a PDF page for the first time after installing Acrobat Reader

Don't call PluginPackageWin::load() until the PluginViewWin has been
inserted into the Widget tree. load() can result in arbitrary code
execution (in this case, a EULA window appears which takes focus from
the WebView, causing Frame::setIsActive(false) to be called), and we
don't want to be in a transitional state when that happens.

plugins/win/PluginDatabaseWin.cpp:
(WebCore::PluginDatabaseWin::createPluginView): Call PluginViewWin's
one and only constructor.

plugins/win/PluginViewWin.cpp:
(WebCore::PluginViewWin::setParent): Call init() after inserting
ourselves into the Widget tree.
(WebCore::PluginViewWin::PluginViewWin): Defer all real work until
init() is called.
(WebCore::PluginViewWin::init): Added. Calls m_plugin->load(), then
does the rest of the work that was once done by the constructor.

WebView/WebView.mm:
cache the value of WebKitUseSiteSpecificSpoofingPreferenceKey in a bool in _private
(-[WebView _preferencesChangedNotification:]):
update the cached value
(-[WebView setPreferences:]):
ditto
(-[WebView WebCore::_userAgentForURL:WebCore::]):
Only spoof here if the new site-specific spoofing preference is enabled. If it is, pass
Safari 2.0.4's user agent string for flickr.com. We can remove this case when 5081617 is addressed.

fix a bug where selecting across a soft line break did not highlight to
the end of the first line if it contained skipped whitespace

Test: fast/text/selection-hard-linebreak.html

rendering/InlineTextBox.cpp:
(WebCore::InlineTextBox::selectionState): Changed to treat a selection that ends on the
end of a hard line break as if it ends after the line break. Fixed the case of a selection
that starts and ends in the same text object as the box but does not intersect it
to return SelectionNone instead of selectionBoth.

platform/win/KeyEventWin.cpp: (WebCore::PlatformKeyboardEvent::PlatformKeyboardEvent):
Removed code to store lowercase characters in m_text. Now that we use the character code
to create m_text this is already taken care of. This does mean that m_unmodifiedText is
not right. This is used for accesskeys, which don't work yet, so that is covered in rdar://5085596.
This also fixes line endings in this file.

editing/execCommand/4917055-expected.txt:
Tests setting a caet before the image and changing its alignment:

editing/execCommand/5080333-1-expected.checksum: Added.

editing/execCommand/5080333-1-expected.png: Added.

editing/execCommand/5080333-1-expected.txt: Added.

editing/execCommand/5080333-1.html: Added.
Tests selecting the image and changing its alignment:

editing/execCommand/5080333-2-expected.checksum: Added.

editing/execCommand/5080333-2-expected.png: Added.

editing/execCommand/5080333-2-expected.txt: Added.

editing/execCommand/5080333-2.html: Added.

WebCore:

Reviewed by darin

<rdar://problem/5080333>
REGRESSION: Selection changes when changing the alignment of an image

Regression occurred when we started using moveParagraphs
to move content in applyBlockStyle. moveParagraphs
moves by copying, deleting and reinserting content, and
so must be accompanied by selection preservation code.
That code uses rangeFromLocationAndLength and rangeLength,
which use TextIterators, which don't emit anything for images
and other replaced elements, causing this bug.

editing/ApplyStyleCommand.cpp:
(WebCore::ApplyStyleCommand::applyBlockStyle): Ask rangeLength
and rangeFromLocationAndLength to request that their
TextIterators emit spaces for replaced elements.
Use rangeCompliantEquivalent()s when creating a Range from
VisiblePositions, since some VisiblePositions have illegal
deepEquivalent()s.

editing/TextIterator.cpp:
(WebCore::TextIterator::TextIterator):
(WebCore::TextIterator::handleReplacedElement): Emit
a space if requested.
(WebCore::TextIterator::representNodeOffsetZero): Emit
ranges before m_node, not around m_lastTextNode. These
ranges should represent the part of the document associated
with the emitted character.
(WebCore::TextIterator::rangeLength): Take in the new bool.
(WebCore::TextIterator::rangeFromLocationAndLength): Ditto.
Also, don't loop an extra time after finding the end of the
range when we're looking for zero length ranges. This appeared
to be a workaround for the bugs fixed in representNodeOffsetZero
in this patch.

html/HTMLBodyElement.cpp: (WebCore::HTMLBodyElement::insertedIntoDocument):
Grab the margin from the frame directly here. There was no real benefit
to doing this via FrameView. Later we can delete quite a bit of unneeded code
here and in WebKit that exists only to set up the margin values in FrameView,
which are now unused.

Rolled out the change for 11866 that made hidden input elements store the value separately from the value attribute.
Added an m_originalValue field that gets set when the element is done being parsed (in closeRenderer). In reset,
use the m_originalValue for hidden input elements.

loader/mac/NetscapePlugInStreamLoaderMac.mm:
(WebCore::NetscapePlugInStreamLoader::didReceiveResponse):
Don't use ResourceResponse:isHTTP here since that only looks at the protocol instead of if the response came from a
HTTP server (and not a web archive).

page/FrameView.cpp:
(WebCore::FrameView::layoutPending): It is not enough to ask if the
layout timer is active. There may be times that we don't have a
body yet so we cannot schedule layout yet, but the root still needs
layout.

WebMutableURLRequest.cpp: (WebMutableURLRequest::isEmpty): Added. Checks whether the ResourceRequest is empty. On the mac,
NSURLRequests created from empty ResourceRequests are nil. We may want to consider that in the future, but there were too
many places in the app that expected the IWebURLRequest to be non-null.

fix <rdar://problem/5074630> detachChildren call should move from WebKit to WebCore

loader/FrameLoader.cpp: (WebCore::FrameLoader::setDocumentLoader):
Add a call to detachChildren() after the call to prepareForDataSourceReplacement().
There was no reason for this crucial loading step to be left to the client.

WebKit:

Reviewed by Adele.

fix <rdar://problem/5074630> detachChildren call should move from WebKit to WebCore

WebCoreSupport/WebFrameLoaderClient.mm: (WebFrameLoaderClient::prepareForDataSourceReplacement):
Remove call to detachChildren. This should be a WebCore responsibility.

Minor refactoring and cleanup of the bridge calls that want to control layout settings on the RenderView.
Have the bridge talk through the FrameView instead of just asking for the RenderView directly.

Add an assert to help catch situations where the RenderView needs layout at paint time, since this is a known
catastrophic scenario that will (much of the time) result in a crash in RenderTableSection::paint.

An NSData object was being alloc/init'd, then returned callers who cast the pointer as a
CFDataRef, including calling CFRelease on it. The problem is that under garbage collection, the NS
retain count is ignored (it's always 0), but the CFRetain and CFRelease are not ignored. This
caused the object to be over-released. The solution that works in both GC and non-GC is to "transfer"
the initial NS retain count to the CF retain count, using HardRetainWithNSRelease.

The creator of the NSData was SharedBuffer::createNSData. The callers were PDFDocumentImage::dataChanged()
and ImageSource::setData(). This particular crash involved the ImageSource::setData() case.

ksvg2/svg/SVGPreserveAspectRatio.cpp: Moved checkString into
SVGParserUtilities.h, so it could be with all its friends. Renamed
"checkString" to "skipString" to match the rest of the code and to be
clear about which functions move the buffer pointer.
(WebCore::SVGPreserveAspectRatio::parsePreserveAspectRatio):

ksvg2/svg/SVGColor.cpp:
(WebCore::parseNumberOrPercent): Check for past the end condition.
(WebCore::SVGColor::colorFromRGBColorString): Reversed "read past end
of buffer, then check if you're past the end" logic.

editing/pasteboard/5075944.html: Added.
Tests that the element that has the text-decoration
and all its descendants down to the common ancestor
are included in the copied markup (instead of the
text-decoration property being treated as though it
were inheritable and placed on the style span wrapper):

We stopped adding markup for all the ancestors
of lastClosed up to the commonAncestorBlock
because it was adding a lot of unnecessary markup.
This caused us to lose underlining when copying a
partially selected underlined element (even though
we put all styles that the copied markup inherits
into a style span, because the text-decoration
isn't inheritable).

editing/markup.cpp:
(WebCore::styleFromMatchedRulesAndInlineDecl): Moved
code here.
(WebCore::elementHasTextDecorationProperty): Added.
(WebCore::createMarkup): If the copied markup has a
text-decoration because some common ancestor has
a text-decoration property set, include that ancestor
and all its descendants in the copied markup.

WebView.cpp:
(WebViewWndProc): Added comments where we do similar work when the webview gets and loses focus. We should merge this logic into updateActiveState eventually.
(WebView::updateActiveState):

Fix for <rdar://problem/5072678> Crash in
RenderLayer::scrollRectToVisible with MallocScribble enabled

I tried to fix this earlier today but my fix caused a regression
scrolling through RSS pages. It turns out that sometimes scroll
events need to propagate immediately, and sometimes they must be
delayed or they risk deleting objects that are expected to be
around after the event has propagated. Mitz's original fix made
sheduleEvent() only delay events that happen during layout. This
fix marks two other places in addition to layout where events also
need to be delayed. These two places are places that were marked
with FIXMEs that Mitz removed in his original patch. (There was a
third FIXME in RenderLayer::updateScrollInfoAfterLayout() but that
case is only called through layout and is covered by Mitz's
original patch.)